Firewall Control For Secure Private Networks



The present invention relates generally to securely opening a pinhole in a firewall of a private network, the pinhole for use in communicating via Voice-over IP telephony.



BACKGROUND OF THE INVENTION

As defined by the Media Gateway Control Working Group, a typical model has media gateways focusing on audio signal translation and media gateway controllers (MGCs) focusing on call signaling and call processing functions.

Voice-over IP (VoIP) calls involve a call signaling path between media gateway controllers, a media gateway control path between media gateway controllers and media gateways, and a bearer path. The call signaling path transfers call control data necessary to setup, connect and process a call. The media gateway control path is used by the media gateway controller to communicate with the media gateways under its control. The bearer path is the actual voice data connection over which a conversation may take place. A media gateway port may have only one associated media gateway controller.

Private networks are typically separated from public networks by firewalls that only permit certain pre-approved packet streams through. A pinhole opening in a firewall may also be referred to as a packet filter. Data packets are routed (or denied routing) based on, among other things, the source and destination address in the packet header including the port number. The filtering criteria are a set of rules against which each data packet is inspected; the inspection subjects data packet content as well as data packet header information to the filtering rules that define the pinhole openings in the firewall.

Typically a firewall is directly controlled by a system administrator or the like through a pre-defined set of approved address pairs. Dynamic firewall control on a per call basis is desired for secure VoIP telephony between endpoints on either side of a firewall. The present firewall control scheme does not permit remote dynamic control of a firewall from another private network entity.

Given the nature of the security risk and the design of such systems, a firewall must be quickly modified on a per call basis in order to avoid security breaches. Any external protocol must explicitly inform the firewall.

This, however, implies continuous network infrastructure upgrades as new protocols are introduced. Upgrading the infrastructure increases the cost and limits the velocity of new service deployments. Alternatively, other implementations exist in the network for this purpose. Unfortunately, these implementations possess performance characteristics that cannot meet the requirements of VoIP media streams.

What is needed is a way to manage the firewall such that communication between endpoints on the private network and endpoints on a network beyond the firewall does not compromise the security of the private network.

SUMMARY OF THE INVENTION

In the present invention, a firewall controller treats a private network firewall as if it were a media gateway network entity. Doing so allows media gateway controllers to exchange messages with the firewall for purposes of securely setting up and tearing down pinholes in the firewall. Thus, a firewall can be controlled remotely by another network entity, broadly termed a firewall controller, such as a call server. With this ability comes the ability to provide secure VoIP telephony between private and public networks.

A call server that is approving the VoIP communication requests that the firewall open a pinhole filter for a specific source and destination address pair. The call is then set up and allowed to complete. The pinhole open and pinhole close requests are made using either an MGCP (H.248) or a COPS protocol message.
According to one embodiment of the invention is a method of remotely controlling a firewall from a firewall controller in order to permit the flow of packet data through the firewall. The firewall controller may be a call server in a VoIP telephony system such as a media gateway controller. The method includes having the firewall controller determine that a media gateway endpoint on the secure side of the firewall either wishes to place a call to an endpoint outside the firewall or receive a call from an endpoint outside the firewall. Both of these events are made known to the media gateway endpoint's call server. The firewall controller sends a request to the firewall to open a pinhole for the media gateway endpoints participating in the call. The firewall carries out the request and opens a pinhole. Upon termination of the call, the firewall controller determines that the pinhole is no longer needed and sends a request to the firewall to close the pinhole. The firewall then closes the pinhole.

These and other aspects of the invention will be apparent to those skilled in the art upon review of the following detailed description of embodiments of the invention, in conjunction with the accompanying figures.

FIGURE 1 is a typical Media Gateway Control (MEGACO) architecture illustrating a packet data network call.

FIGURE 2 is one network embodiment of an architecture illustrating a packet data network call between a private network and a public network that are separated by a firewall.

FIGURE 3 is a flowchart illustrating the logic among the network elements of FIGURE 2.

DETAILED DESCRIPTION

One aspect of the H.248 Protocol is to control media gateways (MGs) for data packet networks utilizing call control elements and intelligence external to the media gateways. The external call control elements are generally referred to as media gateway controllers (MGCs). This includes, but is not limited to, voice over IP (VoIP) and general packet data networks.

A media gateway (MG) in a packet telephony system is a network element that provides conversion between the audio signals carried on switched circuit networks and the data packets carried on packet data networks. H.248 assumes that the media gateway controllers will synchronize with each other to send coherent commands to the media gateways under their control. As such, H.248 does not define a mechanism for coordinating media gateway controllers. H.248 is, in essence, a master/slave protocol, where the media gateways are expected to execute commands sent by the media gateway controllers and report events for use by the media gateway controllers.

H.248 further assumes a connection model where the basic constructs are endpoints and connections. Endpoints are sources or sinks of data and can be physical or virtual. An example of a physical endpoint is an interface on a media gateway that terminates a trunk connected to a PSTN switch. A media gateway that terminates trunks is called a trunk gateway. Another example of a physical endpoint is an interface on a media gateway that terminates an analog POTS (Plain Old Telephone Service) connection to a phone, key system, PBX, etc. A media gateway that terminates residential POTS lines (to phones) is called a residential POTS gateway or a loop access gateway. An example of a virtual endpoint is an audio source in an audio-content server. Creation of physical endpoints requires hardware installation, while creation of virtual endpoints can be done by software.

H.248 is designed as an internal protocol within a distributed system that appears to the outside as a single media gateway. The model is composed of a media gateway controller, that may or may not be distributed over several computers, and of a set of media gateways. In a typical configuration the distributed gateway system will interface on one side with one or more telephony (i.e. circuit) switches, and on the other side with H.323 or SIP conformant systems.

In the H.248 model, the media gateways focus on the audio signal translation function, while the media gateway controllers handle the call signaling and call processing functions. As a result, the media gateway controller implements the "signaling" layers of the H.323 standard, and presents itself as an "H.323 Gatekeeper" or as one or more "H.323 Endpoints" to the H.323 systems.

H.248 assumes a connection model where the basic constructs are endpoints and connections. Connections are

Connections may be either point-to-point or multi-point. A point-to-point connection is an association between two endpoints with the purpose of transmitting data between these endpoints. Once this association is established for both endpoints, data transfer between these endpoints can take place. A multi-point connection is established by connecting the endpoint to a multi-point session.

Connections can be established over several types of bearer networks: transmission of audio packets using RTP and UDP over an IP network; transmission of audio packets using AAL2, or another adaptation layer, over an ATM network; transmission of packets over an internal connection, for example the TDM backplane or the inter-connection bus of a gateway (this is used, in particular, for "hairpin" connections, connections that terminate in a gateway but are immediately routed over the telephone network).
Yet another example of an endpoint is a firewall. A firewall is a construct within a private network that is typically used to separate a public access network from the private network. A firewall protects the private network from unauthorized access while permitting specific data transfers (e.g., VoIP calls) between the public network and private network. Thus, a firewall can be treated as a media gateway endpoint. As such, it can be controlled by a media gateway controller.

FIGURE 1 illustrates a typical Media Gateway Control (MEGACO) network architecture in which a single media gateway controller 110 is utilized to control a call between a pair of media gateways 120A, 120B. In this example the endpoints 130A, 130B are within the PSTN switches, which are not shown. A call signaling path (shown as a dotted line) is responsible for transferring call control data necessary to setup, connect and process a call. The call signaling path runs from PSTN switch endpoint 130A within the PSTN 140 into a signaling gateway 150 linked to a packet data network 160 (e.g., the Internet) into media gateway controller 110 and then back down to the other PSTN switch endpoint 130B via packet data network 160 and signaling gateway 150 to the PSTN 140.

The bearer path is the actual voice/data connection over which a conversation may take place. It also runs from PSTN switch endpoint 130A to PSTN switch endpoint 130B. However, its route is different from the call signaling path. The bearer path leaves PSTN switch endpoint 130A through media gateway 120A to packet data network 160 which is linked to a second media gateway 120B. Media gateway 120B then relays the bearer path to PSTN switch endpoint 130B.

Media gateway controller 110 controls media gateways 120A, 120B. To do so, however, requires a media gateway control protocol link 125 between the MGC and each media gateway 120A, 120B. Thus, media gateway controller 110 has bearer path access through media gateways 120A, 120B via the media gateway control protocol link 125. Bearer path access is needed in order to detect specific events. Once a specific event is detected, media gateway controller 110 can issue call control commands or instructions to each endpoint 130A, 130B via the call signaling path 135.

FIGURE 2 is an extension of FIGURE 1 in that a firewall is added to the network architecture. The firewall is treated similar to a media gateway in that it can receive and execute messages from a media gateway controller.

On the private network side there is a media gateway controller 205 which can function as an IP PBX Call Server. Media gateway controller 205 is operatively connected to at least one media gateway endpoint 210 which can be an IP telephony device or a computer having IP telephony capability. The connection between media gateway controller 205 and media gateway endpoint 210 is via a media gateway control path 215. Media gateway controller 205 is also a node on a Local Area Network (LAN) 220. Media gateway controller 205 is also operatively connected to a firewall 225 via a firewall control path 230.

The public network side of the architecture shown in FIGURE 2 is shown for descriptive purposes. The present invention centers mainly on the signaling among media gateway controller 205 and, specifically, firewall 225. The public network side includes a packet data network 250 such as the Internet, and a Central Office IP Call Server 255 that serves other media gateway endpoints 260 and 270.

Private side media gateway controller 205 and public side media gateway controller 255 communicate with one another over a call signaling path 280 potentially via an optional secure tunnel such as an IPSec session pre-authorized through the firewall.

Media gateway controller 205 is the entity responsible for approving communication stream requests emanating from or terminating to media gateway endpoint(s) 210 within the private network. When a media gateway endpoint 210 wants to place a call, it initially reports an off hook event to media gateway controller 205. Next, the user keys in the number on the media gateway endpoint 210 he or she wishes to connect to. If the number is representative of another internal media gateway endpoint then media gateway controller 205 which is functioning as the IP PBX call server need not involve firewall 225. Otherwise, if the number is representative of a media gateway endpoint 260 outside the private network, then media gateway controller 205 must involve firewall 225. Media gateway controller 205, which is within the private network, communicates with media gateway controller 255 via call signaling path 280 in order to define the destination endpoint. Similarly, for a call incoming to a private side media gateway 210, private side media gateway controller 205 is contacted first by public network media gateway controller 255. The media gateway controllers 205, 255 exchange call signaling information regarding media gateway endpoints 210, 260.

At this point, media gateway controller 205 sends a request message to firewall 225 over control path 230 requesting that firewall 225 open a pinhole filter to allow communication over bearer path 290. Communication will be between the network address pair corresponding to media gateway endpoints 210 and 260 in the private network and public network respectively. These endpoints were previously defined in an exchange between media gateway controllers 205 and 255.

Signaling between media gateway controller 205 and firewall 225 can be achieved using either the H.248 control protocol or the Common Open Policy Services (COPS) protocol. If H.248 is implemented then the firewall would need to be H.248 enabled to process, for instance, an open connection request. The IP PBX call server (media gateway controller 205) would have to send such requests to the firewall. If COPS is implemented then the IP PBX call server (media gateway controller 205) would be enhanced to send COPS messages. The messages that need to be exchanged between media gateway controller 205 and firewall 225 relate to the opening and closing of pinholes.

Once the firewall receives a request message to create a pinhole it executes the request and acknowledges the creation of the pinhole back to media gateway controller 205. Now media gateway controller 205 can continue with call setup. Upon termination of the call, media gateway controller 205 detects the termination via well known call signaling techniques and sends a request message to firewall 225 requesting that the pinhole be closed as there is no longer a need for it. Firewall 225 immediately closes the pinhole securing the private network.

FIGURE 3 is a flowchart illustrating the logic among the network elements of FIGURE 2. Initially, the private network media gateway controller determines the source and destination endpoints of the call. This determination is the result of an exchange between the media gateway controllers in the private and public network. Each media gateway controller controls at least one media gateway endpoint.

When a media gateway endpoint in one network wishes to place a call to or receive a call from a media gateway endpoint in another network, their respective media gateway controllers exchange call signaling information regarding the endpoints. The private network media gateway controller will either receive a request from one of its media gateway endpoints to place a call to a remote endpoint, or receive a request from the public network media gateway controller informing the private media gateway controller that a remote media gateway endpoint wishes to reach one of the private network media gateway controller's media gateway endpoints.

When either request is received, the private network media gateway controller first determines whether the source and destination endpoints are both within the private network. If they are, then the firewall need not be involved in setting up the call. If, however, one of the endpoints (either the source or destination) is outside the private network firewall, the private network media gateway controller realizes the need for a pinhole opening in the firewall and requests that a pinhole be opened for a specific address pair 310. Upon receiving the request the firewall opens the pinhole for the specific address pair 315. At this point, the private network media gateway controller sets up the call 320 using the pinhole filter just established. The source and destination media gateway endpoints may now communicate via VoIP. The private network is still protected by the firewall since a dynamic pinhole has been approved for this specific call only. Once the call is over, the connection is torn down between the endpoints 325. At the same time, the private network media gateway controller realizes that the pinhole is a danger if left open 330 and requests that the firewall close the pinhole 335. The firewall then closes the pinhole.
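The per-call logic of FIGURE 3 (decide whether both endpoints are inside the private network, request a pinhole for the specific address pair, set up the call, close the pinhole at teardown) together with the request/acknowledge exchange between media gateway controller 205 and firewall 225 described above, as an added Python example that is not part of the patent. The Endpoint, Pinhole, Firewall and FirewallController classes, the private network prefix and the dict-shaped messages are assumptions of this example, simplified stand-ins for H.248 or COPS encodings.

```python
"""Per-call firewall pinhole control modelled on the FIGURE 3 flow.
Example code, not the patent's own: the classes, the private prefix and the
dict-shaped request/ack messages are assumptions (stand-ins for H.248/COPS)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


@dataclass(frozen=True)
class Pinhole:
    """A pinhole filter for one specific source/destination address pair."""
    src: Endpoint
    dst: Endpoint


class Firewall:
    """Default-deny packet filter whose only allow rules are controller-created pinholes."""

    def __init__(self):
        self.pinholes = set()
        self.log = []  # (action, pinhole) history, useful for audit

    def handle_request(self, msg):
        """Execute an open/close request from the firewall controller and acknowledge it."""
        action, pinhole = msg.get("action"), msg.get("pinhole")
        if action == "open":
            self.pinholes.add(pinhole)
        elif action == "close":
            if pinhole not in self.pinholes:
                return {"ack": False, "reason": "no such pinhole"}
            self.pinholes.remove(pinhole)
        else:
            return {"ack": False, "reason": "unknown action"}
        self.log.append((action, pinhole))
        return {"ack": True, "pinhole": pinhole}

    def permits(self, src_ip, src_port, dst_ip, dst_port):
        """A bearer packet passes only if it matches an open pinhole, in either direction."""
        fwd = Pinhole(Endpoint(src_ip, src_port), Endpoint(dst_ip, dst_port))
        rev = Pinhole(fwd.dst, fwd.src)
        return fwd in self.pinholes or rev in self.pinholes


class FirewallController:
    """The IP PBX call server role: approves calls and drives the firewall per call."""

    def __init__(self, firewall, private_prefix):
        self.firewall = firewall
        self.private = ip_network(private_prefix)
        self.calls = {}  # call_id -> Pinhole, or None when no pinhole was needed

    def needs_pinhole(self, src, dst):
        """The firewall is involved only if at least one endpoint lies outside the private network."""
        def inside(ep):
            return ip_address(ep.ip) in self.private
        return not (inside(src) and inside(dst))

    def setup_call(self, call_id, src, dst):
        """Open a pinhole for the address pair (if needed) before the call is set up."""
        if not self.needs_pinhole(src, dst):
            self.calls[call_id] = None
            return True
        pinhole = Pinhole(src, dst)
        ack = self.firewall.handle_request({"action": "open", "pinhole": pinhole})
        if not ack["ack"]:
            return False  # never proceed with call setup without an acknowledged pinhole
        self.calls[call_id] = pinhole
        return True

    def teardown_call(self, call_id):
        """On call termination, close the pinhole so the filter does not outlive the call."""
        pinhole = self.calls.pop(call_id, None)
        if pinhole is None:
            return True
        return self.firewall.handle_request({"action": "close", "pinhole": pinhole})["ack"]
```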

Media gateway controller 205 can be replaced by another apparatus. Such an apparatus would be able to remotely command a firewall to open and close pinholes when required by an application. It can be used to approve and manage data flows between the private and public networks.

One of the advantages of the present invention is that it can be implemented by having a secure control path added to the firewall, with an existing network entity serving as its controller.

It is to be understood that the present invention illustrated herein is readily implementable by those of ordinary skill in the art as a computer program product having a medium with a computer program embodied thereon. The computer program product is capable of being loaded and executed on the appropriate computer processing device(s) in order to carry out the method or process steps described. Appropriate computer program code in combination with hardware implements many of the elements of the present invention. This computer code is often stored on storage media. This media can be a diskette, hard disk, CD-ROM, optical storage media, or tape. The media can also be a memory storage device or collection of memory storage devices such as read-only memory (ROM) or random access memory (RAM). Additionally, the computer program code can be transferred to the appropriate hardware over some type of data network.

The present invention has been described with reference to flowchart illustration(s). It will be understood that each block of the flowchart illustration(s), and combinations of blocks in the flowchart illustration(s), can be implemented by computer program instructions. These computer program instructions may be loaded onto a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions which execute on the computer or other programmable data processing apparatus create means for implementing the functions specified in the flowchart block(s).

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart block(s). The computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart block(s).

Accordingly, blocks of the flowchart illustration(s) support combinations of means for performing the specified functions, combinations of steps for performing the specified functions and program instruction means for performing the specified functions. It will also be understood that each block of flowchart illustration(s), and combinations of blocks in flowchart illustration(s), can be implemented by special purpose hardware-based computer systems that perform the specified functions or steps, or combinations of special purpose hardware and computer instructions.

In the claims, means-plus-function clauses are intended to cover the structures described herein as performing the recited function and not only structural equivalents but also equivalent structures. Therefore, it is to be understood that the foregoing is illustrative of the present invention and is not to be construed as limited to the specific embodiments disclosed, and that modifications to the disclosed embodiments, as well as other embodiments, are intended to be included within the scope of the appended claims. The invention is defined by the following claims, with equivalents of the claims to be included therein.

Claims

1. A method of remotely controlling a firewall from a firewall controller in order to permit the flow of packet data through said firewall, said method comprising:

sending a request message from a firewall controller to a firewall requesting that a pinhole be opened;

sending a request message from a firewall controller to said firewall requesting that said pinhole be closed; and

closing said pinhole.

2. The method of claim 1 further comprising:

determining the need for a pinhole in said firewall.

3. The method of claim 2 wherein said step of determining occurs at said firewall controller.

4. The method of claim 3 wherein said firewall controller is a media gateway controller.

5. The method of claim 1 further including the step of determining the need for a pinhole prior to sending a request message requesting that a pinhole be opened.

6. The method of claim 1 wherein said request messages are formatted in the H.248 protocol.

7. The method of claim 1 wherein said request messages are formatted in the common open policy services (COPS) protocol.
8. A firewall controller for permitting the flow of packet data, said firewall controller comprising:

means for determining the need for a pinhole in a firewall;

means for sending a request message to said firewall requesting that a pinhole be opened in said firewall; and

means for sending a request message to said firewall requesting that said pinhole be closed in said firewall.

9. The firewall controller of claim 8 wherein said request messages are formatted in the H.248 protocol.

10. The firewall controller of claim 8 wherein said request messages are formatted in the common open policy services (COPS) protocol.

11. The firewall controller of claim 8 wherein said firewall controller is a media gateway controller.

12. A firewall responsive to a firewall controller for permitting the flow of packet data, said firewall comprising:

means for receiving a request message from said firewall controller requesting that a pinhole be opened in said firewall;

means for opening a pinhole in said firewall;

means for receiving a request message from said firewall controller requesting that said pinhole be closed in said firewall; and

means for closing said pinhole in said firewall.
13. The firewall of claim 12 wherein said request messages are formatted in the H.248 protocol.

14. The firewall of claim 12 wherein said request messages are formatted in the common open policy services (COPS) protocol.

15. A firewall responsive to a media gateway controller for permitting the flow of packet data, said firewall comprising:

means for receiving a request message from said media gateway controller requesting that a pinhole be opened in said firewall;

means for opening a pinhole in said firewall;

means for receiving a request message from said media gateway controller requesting that said pinhole be closed in said firewall; and

means for closing said pinhole in said firewall.



16. A computer program product for remotely controlling a firewall from a firewall controller in order to permit the flow of packet data through said firewall, the computer program product having a medium with a computer program embodied thereon, the computer program comprising:

computer program code in said firewall controller for sending a request message to said firewall requesting that a pinhole be opened;

computer program code in said firewall for opening said pinhole;

computer program code in said firewall controller for sending a request message to said firewall requesting that said pinhole be closed; and

computer program code in said firewall for closing said pinhole.

17. The computer program product of claim 16 further comprising:

computer program code in said firewall controller for determining the need for a pinhole in said firewall.

18. The computer program product of claim 16 wherein said request messages are formatted in the H.248 protocol.

19. The computer program product of claim 16 wherein said request messages are formatted in the common open policy services (COPS) protocol.

20. The computer program product of claim 17 wherein said firewall controller is a media gateway controller.



21. A computer program product in a firewall controller, said firewall controller for remotely controlling a firewall, the computer program product having a medium with a computer program embodied thereon, the computer program comprising:

computer program code for determining the need for a pinhole in said firewall;

computer program code for sending a request message to said firewall requesting that a pinhole be opened in said firewall; and

computer program code for sending a request message to said firewall requesting that said pinhole be closed in said firewall.

22. The computer program product of claim 21 wherein said request messages are formatted in the H.248 protocol.

23. The computer program product of claim 21 wherein said request messages are formatted in the common open policy services (COPS) protocol.

24. The computer program product of claim 21 wherein said firewall controller is a media gateway controller.

25. A computer program product in a firewall, said firewall responsive to a firewall controller, the computer program product having a medium with a computer program embodied thereon, the computer program product comprising:

computer program code for receiving a request message from said firewall controller requesting that a pinhole be opened in said firewall;

computer program code for opening a pinhole in said firewall;

computer program code for receiving a request message from said firewall controller requesting that said pinhole be closed in said firewall; and

computer program code for closing said pinhole in said firewall.

26. A computer program product in a firewall, said firewall responsive to a media gateway controller, the computer program product having a medium with a computer program embodied thereon, the computer program product comprising:

computer program code for receiving a request message from said media gateway controller requesting that a pinhole be opened in said firewall;

computer program code for opening a pinhole in said firewall;

computer program code for receiving a request message from said media gateway controller requesting that said pinhole be closed in said firewall; and

computer program code for closing said pinhole in said firewall.

27. A computer system for remotely controlling a firewall from a firewall controller comprising:

a firewall operatively connected to a private computer network; and

a firewall controller operatively connected to said firewall for remotely instructing said firewall to open and close pinholes in said firewall.

28. The computer system of claim 27 wherein said firewall controller is a media gateway controller acting as a call server in a VoIP telephony network.

29. The computer system of claim 28 wherein said media gateway controller instructs said firewall to open and close pinholes in said firewall such that media gateway endpoints within said private network can communicate with media gateway endpoints outside said private network on a per call basis.